CISOs' No. 1 Concern in 2018: The Talent Gap

Survey finds 'lack of competent in-house staff' outranks all other forms of cybersecurity worry, from data breaches to ransomware attacks.

The top concern among CISOs for 2018 falls outside the typical realm of attacks, employee negligence, or staffing shortages, according to findings released this week in a Ponemon Institute Survey.

The top concern: "lack of competent in-house staff."

"I am not surprised that this was a leading concern - it is consistent with what we have been hearing as a critical need and gap in the market. However, being the leading concern was somewhat surprising if you follow what’s typically the most reported consequences of the staffing situation: breaches and cyberattacks," says Lee Kirschbaum, senior vice president and head of product, marketing, and alliances at Opus, which commissioned the report.

Larry Ponemon, author of the report, says he was also surprised by the finding, adding that typically data breaches, ineffective security tools, or some other technical aspect of guarding security tops the concerns list. Workforce issues are usually somewhere in the middle, he says.

According to the survey of 612 chief information officers and IT security pros, the top five threats that worry them the most in 2018 are:

70%: lack of competent in-house staff
67%: data breach
59%: cyberattack
54%: inability to reduce employee negligence
48%: ransomware

A majority of survey respondents, 65%, also believe attackers will be successful in duping employees to fall for a phishing scam that will result in the pilfering of credentials – even more so than the organization suffering from a data breach or cyberattack.

"It is one of the oldest forms of cyberattacks, dating back to the 1990s, and one of the most widespread and easier forms of attacks," Kirschbaum says. "It targets one of the weakest links – the human factor - and focuses on human behavior to encourage individuals to discuss sensitive information."

Challenging technologies for IT security professionals in 2018 include IoT devices, 60%; mobile devices, 54%; and cloud technology, 50%, according to survey respondents.

Over the last year or two, CISOs have been increasingly talking about how to secure IoT devices and the challenges they pose, Ponemon says. Their questions have ranged from how to encrypt a smart lightbulb to whether IoT security should rest on the company or the manufacturer, he notes.

Gloom and Doom

CISOs exhibited a general sense of gloom in their survey responses, says Ponemon.

"Maybe security people are stoic. They don't see 2018 as a year for improvement, and that security risks are becoming a greater problem," notes Ponemon.

The survey found 67% of respondents believe their organizations are more likely to fall victim to a data breach or cyberattack in the New Year.

And the majority of respondents expect breaches and attacks to stem from inadequate in-house expertise (65%); inability to guard sensitive and confidential data from unauthorized access (59%); an inability to keep pace with sophisticated attackers (56%); and a failure to control third parties' use of the company's sensitive data (51%), according to the survey.

"The sheer volume of information, ranging from threat intelligence to third-party assessments, continues to increase," Kirschbaum says. "In an environment with increasing risks from new threats, new disruptive technologies, and legacy systems that continue to demand attention, companies are simply unable to bring on enough qualified staff to keep up."

Despite all the talk of an IT security labor shortage, survey respondents appear relatively optimistic that improvements may be on the horizon in 2018. According to the survey, 61% of respondents believe they could see staffing improvements in 2018. That coincides with other research that Ponemon Institute is involved with, Ponemon says.

Four years ago, a Ponemon survey found 40% of IT security respondents complained that job openings went unfilled because they could not find candidates, but that figure has since dropped to 32% based on a follow-up survey this year, Ponemon says.

Despite potential staffing improvements, CISOs and other IT security professionals foresee stress in the New Year, according to the report.

Source: Ponemon Institute Survey and Opus

"Overall, threats are multiplying, CISOs are having trouble finding in-house resources to keep up – and above all, are worried about threats they have limited control over, like the billions of new devices in the Internet of Things, each bringing with them potential new security threats and the always unpredictable element of human behavior," Kirschbaum says.

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends.

I would trace the talent gap to the career path destruct that corporate America has placed on IT professionals over the years. Why go into a field when, eventually, management will outsource you and that is that. CyberSecurity is a NEW field and it is a tough one to get a degree in. I am currently with a malware forensics unit and have learned a lot in a short time.

That said, good logical restore and rebuild protocols are LONG in order. Data exfiltration aside, ransomware attacks are the same as hard drive failure. Think about it.

Backup and disaster recovery plans are often OUT of date if used at all and, worse, rarely tested.

Workstation recovery is easy IF you have a good protocol and it can be anything from simple GHOST image to PXE login to server.

As an independent consultant, I was very proud of a 3 hour recovery window when one of my accounts, a 501C3, got Cryptolocked in January of 2014. Because I had good off-site storage protocols in place, I was able to restore all SERVER DATA within 2 hours of on-site arrival the next day. Plus my recovery protocol was SIMPLE AND TESTED so I knew what to do.

Whether I would be allowed to enroll in a programmer/analyst curriculum at a specialized computer training school in the 1970s, was determined by aptitude tests. Once in the program, I could see that degrees, even advanced degrees, in what's now called STEM, were not reliable indicators of the analytic and logical skills required in this field. This is even more true today.

Is it farfetched to say that the primary reasons companies limit their IT candidate searches, to applicants with CS degrees or other certifications, are to make it easier on HR departments, and to provide cover for hiring the wrong people? Remember the adage: "No one was ever fired for buying IBM". Was IBM always the best choice? No, but it was the safe one, for those who signed off on it.

That there is a talent gap might well be because companies have forgotten where and how to look for it, nurture and protect it.

Regarding "in house": First recognize the distinction between outsourcing and offshoring - the latter implies the former, but not the other way round. In both cases, companies must use good and informed judgement as to which tasks are suitable for either, and about who they are taking on as partners - because all IT relationships are intimate.

The concerns particular to offshoring center on jurisdictional control. Look no further than the recent Kaspersky Lab restrictions (justified or not), for an example. Of course, there are compliance requirements; but go beyond the letter of the law, and consider the rationale for them. In most cases, the law comes too late to prevent the damage that led to the need for the law. [Leave the debate on if a particular law makes matters worse, for another discussion]

The basis for a decision on in-house, outsource, offshore should be data access driven; and that holds true for inside in-house, too. When thinking through that one, remember that all public-cloud is outsource, and may be offshore. That goes for all the public-cloud components for your company, your employees and your partners.

When it comes to outsourcing, the right choice is going to take some careful consideration.

Re: Don't look for plug-and-play employees, or discount all outsourcing

I would never endorse outsourcing for a cyber-security model - for it fails enough and often for just standardized (read that dumb) IT support. The educational resource of most IT outsource houses (Tata, Wipro, Infosys) just are not up to any par and they have trouble with just a standard IT technician. (I recently departed a lovely little office - paycheck job - that was outsourced to Wipro and A DISASTER in every way. Took the all powerful GSD (General Service Desk) NINE DAYS!!!!!!! TRUE ---- to route a ticket from one user to ME and we were on the same floor and office. BAD.) So don't expect cybersecurity professionals to emerge from this venue.

And don't get me started on IBM - used to be a proud IBMer many years ago (the Akers era) and the firm is now a shadow of what it was. Ginny, 22 quarters of revenue decline. State of Indiana for example - lawsuit. More staff in INDIA than in the United States.

American trained IT professionals who CARE PASSIONATELY about the subject is what is needed.

Re: Don't look for plug-and-play employees, or discount all outsourcing

You touch on one aspect of the hiring, training, in-house/outsource issue: the character of the people, or more to the point, of each individual.

While passion for the work is important, so are other attributes. You don't have to look far into the annals of cybersecurity failures to find examples of an employee or contract worker wreaking havoc through acts of negligence or outright betrayal of trust. What they share is poor character, and that they were put in a position of trust.

Evaluating a person's character can't be automated, and shouldn't be assumed by national origin. Benedict Arnold was as competent, as effective, had at least as good a CV, and was as much an American as George Washington - the difference was character.

Great article Dawn. As a security veteran with over 16 years of CISO experience I can attest how big a problem staffing is. You can't find the people and when you do, you train them and then lose them.

While we clearly need to train more personnel, the only way companies will be able to solve this problem is to replace legacy tools with new AI based systems that can leverage cognitive computing to perform many of the tasks that security personnel perform while also eliminating the false positives which not only increase workloads but often allows important events to slip through with the noise.

They will also leverage MSSPs to outsource as much of the workload as possible. MSSPs are much better positioned to hire and retain top personnel, providing CISOs more resiliency, flexibility and scalability. The CISO just needs to maintain proper independent oversight to ensure they are getting what they are paying for, because if the MSSP fails to deliver, it's the CISO's neck on the line.

Interesting survey and analysis but made by CISOs, therefore somehow biased. Does having a CISSP and an MSc in information security qualify you as a good CISO? Recruiters also are mainly focusing on those degrees and certifications when selecting candidates. Many CISOs are (mostly) technical people, very much focused on technology and lack more soft skills like communication, negotiations or strategic vision. How do you get funding for enlarging teams, change IT working processes and install new security systems if you are not able to convince people holding the funds?

Yet another consideration under "lack of competent in-house staff" is the CISO him/herself. By lacking competence, I mean competence surrounding the inner workings of the lines of business and their respective objectives. CISOs get burnt at the stake so often and shuffled so frequently that building the necessary knowledge to support the business in an insightful and innovative way is almost impossible. Same goes for your business-facing security pros. The cyber job market remains white hot and it makes sense to jump roles/firms every 1.5 to 2 years just for the pay increase alone. When someone leaves, the accumulated knowledge that is valuable to the business is lost.

Too often security is "applied" to the surface, like patching a leaking life raft. Without the means to perceive the components of the business, as a system, you can't come to grips with the circumstances that put you in that life raft in the first place.

That lack of awareness isn't just a problem for the CISO or security departments, or IT, but for all the knowledge workers, from the C-level on down. It's not that knowledge of how the components actually work in an enterprise isn't there; but that the interdependencies haven't been formalized and documented, in a way that would properly inform. The only methodology I know of toward achieving that is fact-based, conceptual modeling.
